How to Write a Cyber Security Policy for Your Small Business (With Template)
A practical guide to writing a cyber security policy that your staff will actually read and follow, including what to cover and free ACSC templates.
Most small business owners know they probably need a cyber security policy. Far fewer have actually written one. If you are in that second group, you are not alone — and this guide is designed to get you from zero to a working policy without requiring a legal degree or an IT background.
Why a Written Policy Actually Matters
A cyber security policy is a written document that sets out the rules for how your business handles technology, data, and security. It sounds bureaucratic, but it serves three very practical purposes.
- Compliance and insurance: Cyber insurers increasingly ask whether you have documented security practices. If you make a claim and have no written policy, you may find your payout reduced or denied. The Privacy Act also expects businesses that handle personal data to have reasonable protections in place.
- Staff clarity: Without a written policy, staff make their own judgements about what is acceptable. Can they use their personal phone for work emails? Can they install software? Can they forward work files to a personal drive? A policy removes the ambiguity.
- Incident response: When something goes wrong — and at some point, something will — having a policy means you have a reference point. It tells staff what to do, who to tell, and how quickly.
What to Include in Your Policy
You do not need to cover everything on day one. Start with the areas that matter most to your business and build from there.
Acceptable Use
Define what business devices and systems can be used for. Is personal use of work laptops allowed? What about social media? Setting clear expectations here prevents misunderstandings and reduces the risk of staff inadvertently exposing the business to threats.
Password Rules
Specify that strong, unique passwords are required for all business accounts and that passwords must not be shared. If you use a password manager, name it here and make it part of onboarding. State your policy on multi-factor authentication — ideally that it is required for email, cloud services, and financial systems.
BYOD (Bring Your Own Device)
If staff use personal devices for work, your policy needs to address this. At minimum: require a PIN or biometric lock, mandate that work apps are kept up to date, and establish what happens to business data on a personal device if the employee leaves.
Remote Work
Remote work introduces risks that do not exist in a supervised office. Your policy should cover use of home Wi-Fi (and why public Wi-Fi is risky without a VPN), screen privacy in shared spaces, and secure storage of any physical documents.
Incident Reporting
Staff need to know what to do — and who to tell — if they suspect a breach, receive a suspicious email, or accidentally click something they should not have. Make this process simple and blameless. The faster an incident is reported, the faster it can be contained.
Software Installation
Unauthorised software is a common entry point for malware. Your policy should state that staff must get approval before installing software on work devices, and that software must only be downloaded from official sources.
Physical Security
Cyber security is not just digital. Include basics like locking screens when stepping away, not leaving laptops unattended in public, and shredding documents that contain sensitive information.
Short and Practical Beats Long and Ignored
One of the most common mistakes is writing a policy that is so detailed and dense that nobody reads it. A two-page policy that staff understand and follow will protect you far better than a forty-page document that sits in a drawer.
Write in plain English. Use bullet points. Avoid legal language unless it is genuinely necessary. If you would not read it yourself, your staff will not read it either.
Getting Staff to Actually Follow It
Writing a policy is the easy part. Getting buy-in is where most businesses struggle.
- Make it part of onboarding: New staff should read and sign an acknowledgement of the policy on their first day. This sets expectations from the start.
- Review it annually: Schedule a yearly refresh — both to update the content and to remind existing staff of the rules. A short team meeting is enough.
- Lead by example: If the business owner bypasses the rules, staff will too. Senior leadership modelling good security behaviour is one of the most powerful signals you can send.
- Make it easy to do the right thing: If following the policy is genuinely inconvenient, people will find workarounds. Provide the tools — a password manager, a clear reporting channel, approved software — that make compliance straightforward.
Free Templates From the ACSC
The Australian Cyber Security Centre (ACSC) offers free, practical resources specifically designed for small businesses. Their small business cyber security guide includes policy templates you can adapt without starting from scratch. Visit cyber.gov.au and search for the Small Business Cyber Security Guide to get started.
You do not need to spend money on a consultant to write your first policy. A few hours of focused work, a free template, and input from whoever manages your IT is enough to produce something genuinely useful. Start simple, get it done, and improve it over time.
Frequently asked questions
Is a cyber security policy legally required for Australian small businesses?
There is no single law that requires every small business to have a cyber security policy, but certain obligations come close. If your business handles personal information under the Privacy Act 1988, you are required to take reasonable steps to protect that data — and a written policy is strong evidence you are doing so. Some industry sectors, client contracts, and cyber insurance policies also explicitly require one. Even if it is not strictly mandatory for you, having a policy significantly reduces your liability if something goes wrong.
How long should a cyber security policy be?
A policy that gets read and followed is far more valuable than a comprehensive document gathering dust. For most small businesses, a single well-structured page covering the key topics is enough to start. You can always expand it over time. The ACSC's small business resources include concise templates that are deliberately short — aim for something your team can read in under ten minutes.
How do I enforce a cyber security policy with staff?
Enforcement starts with clarity: staff cannot follow rules they have never seen or do not understand. Make the policy part of your onboarding process and ask new employees to sign an acknowledgement. Review it with all staff at least once a year. Keep the language plain and avoid jargon. When rules are broken, address it consistently and proportionately — the goal is a safer business, not punishment. Building a culture where people feel comfortable asking questions or reporting mistakes will do more for your security than any disciplinary process.